Sure, there is a strong ideological argument why you should not have strong identities required on the internet in general (or even offline) and on porn sites specifically, but the argument is not technical.
I can't wait for the next generation that will enjoy "nerding out" on how to best patrol every neighborhood with drones.
https://en.wikipedia.org/wiki/List_of_national_identity_card...
It seems pretty reasonable to leverage this into online identification.
In fact, online ID is already used in the European Union for popular initiatives (see, e.g., https://www.stopkillinggames.com/ ) and nobody seems to think this is “bullshit” or infeasible or any of the concerns that are lobbed at the age verification requirements.
It's not impossible to design a cryptographic system where law enforcement is a party within it. The false dichotomy of encrypted or not encrypted in my opinion is used to shut down the conversation since it's easy to argue why no encryption is bad. It's a strawman.
Up to now, there has only been intense wishful thinking by politicians, and strong "NOPE" by anyone with any kind of knowledge about cryptography. Either really everyone, including the likes of NSA, CIA and other spy services don't actually employ top cryptographers. Or they repeatedly tried and failed miserably. Or really nobody, including the spies, wants backdoored NOBUS encryption.
As soon as there is another untrusted party in the encryption, and in particular a party with a "skeleton key" that can decrypt anybody's message, then your encrypted communications are merely one leak away from being decoded by everybody else.
Technologies like the mdl standard [1] can attest to age without revealing the user's identity.
As Cory points out, it's still possible for kids to swipe someone's ID and use that. There are probably practical solutions that are good enough. Android, iOS, and parents could work together to deal with the problem of stolen IDs. If mdl is implemented on devices such that they are managed by the device OS, that would lead to auditability. Parents can ask their child to see their phone's ID app, which will show the full roster of IDs on the child's device. If a parent sees an ID that shouldn't be there, they can have a conversation about it. In this way the law would be about empowering parents to shape their child's online experience. This is just a straw-man example solution, but there may be better ones.
The other objections I saw could be worked through in a similarly pragmatic fashion.
This is probably going to be good enough for most folks, and it's probably a good thing to keep children away from pornography and such. And IMO coming up with a "good enough" solution will flush out all the bad actors who are hiding behind the excuse of "save the children" when really they want to build up a record of everyone's browsing history. But by denying any solution to a real problem, we let the bad actors hide amongst the well-intentioned folks who are trying to do the right thing.
The govt doesn't care how you verify age only that you don't sell to minors.
it is possible if you accept that it only needs to be good enough
- it's fully okay if it can be deceived in all kinds of ways
- verifying only once per account is okay, if an adult passes their verified account to a child that's their responsibility
- legally not just forbid but criminalize (with required prison sentence) the storing of any data except is adult yes/no from an age verification process
- allow OS accounts to just tell applications (including websites) that "is 18", if an age verification was done in the account, also no signing or anything cryptographically, because again it's good enough no need to protect it against hacking, the main responsibility still lies with the parents
so then you can do a single age verification per OS account, once, and be done with
furthermore this verification could e.g. go through a process which might identify your identity but a) isn't allowed to pass anything but adult yes/no to anyone else b) isn't allowed to store that info c) on a storing it is a "criminal liability" level where a CTO ordering data collection would go to prison
though if you live in a country where everyone has a passport with NFC chips (e.g. all of EU) just adding an "adult yes/no" function(1) to it + a transparent (open source, non profit) app per country to bridge it to accounts which need verification would do the job without needing the extra strict criminalize abuse part.
Which brings us to the main problem:
- requiring politicians to accept a "good enough" solution, accept that the main responsibility still lies with the parent
- politicians not abusing it to spy on their population
- make laws to prevent companies from abusing "age verification" to collect private data
and that seems indeed impossible
---
(1): Technically I think it does exist, somewhat in many passes already. But practically it's not viable as it (I think) discloses too much information and has too many issues wrt. integrating it (wrt. certificate nonsense)
I'm not a privacy hardliner, and I think the socially acceptable tradeoff between privacy and security has been well established before the computer era - if the police has a well-enough established suspicion against you - they can get a warrant and search your home. That's due process.
I would accept if there was a digital version of that which targeted not the encryption itself (which could be as strong as possible) - but the endpoints, like smartphones and computers.
Let's say police had a device which they could plug into your phone, which would send a specially signed message - a digital warrant, containing all the info a real warrant would - which would be permanently burned into the ROM of your phone, after which the phone would surrender its encryption keys, and the police could dump your unencrypted disk.
The phone would be then presented as evidence at the trial, and not following due process would be a cause for mistrial, no matter what they find there.
The general public would be safe in the knowledge that as long as the police isn't hauling them in, their secrets are safe, and the government would get the tools for what they claimed they wanted - a way to catch bad guys with digital tools.
Websites can request data from the user by sending that certificate, it opens the app, it shows you the categories of data to be sent, you hold your ID card to the phone, enter the PIN, and the certificate is uploaded to the ID card which verifies it. If it's valid, the ID sends back the data that is specified in the certificate.
You then get presented with exactly the data that is going to be sent to the website. You can then agree or disagree. So far that is only used to log in to government websites.
This way the government does not know which sites you visit, and you only send your age to the website.
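The request flow described in the comment above, as an added sketch that is not part of the thread and not code from any real ID system: the card releases only the fields named in a valid certificate, and the app forwards them only after the user agrees. HMAC stands in for the card's certificate check, and every name here (`IdCard`, `issue_certificate`, `age_over_18`, the key, PIN and holder data) is a constructed assumption.

```python
import hashlib, hmac, json
from datetime import date

# Constructed demo key. A real card checks an asymmetric certificate chain;
# HMAC is a standard-library stand-in so the example runs offline.
ISSUER_KEY = b"constructed-demo-issuer-key"

def tag_for(body):
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_certificate(site, fields):
    """Issuer authorizes `site` to request exactly `fields` (hypothetical format)."""
    body = json.dumps({"site": site, "fields": sorted(fields)})
    return {"body": body, "tag": tag_for(body)}

class IdCard:
    def __init__(self, holder, pin):
        self._holder, self._pin = holder, pin

    def read(self, cert, pin, today):
        """Verify the certificate and PIN, then release only the listed fields."""
        if not hmac.compare_digest(tag_for(cert["body"]), cert["tag"]):
            raise PermissionError("certificate not issued by the authority")
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        return {f: self._value(f, today) for f in json.loads(cert["body"])["fields"]}

    def _value(self, field, today):
        if field == "age_over_18":  # derived on the card; birth date never leaves it
            b = self._holder["birth_date"]
            age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
            return age >= 18
        return self._holder[field]

def answer_request(card, cert, pin, user_agrees, today):
    """App side: show the user the exact payload, send it only on agreement."""
    payload = card.read(cert, pin, today)
    return payload if user_agrees(payload) else None

# Constructed sample holder and request.
CARD = IdCard({"name": "Erika Example", "birth_date": date(2000, 5, 17)}, pin="123456")
CERT = issue_certificate("shop.example", ["age_over_18"])

if __name__ == "__main__":
    print(answer_request(CARD, CERT, "123456", lambda p: True, date(2025, 1, 1)))
```

A site that edits the certificate to ask for `name` as well fails the card's check, so the set of fields it can obtain is fixed by whoever issued the certificate, not by the site.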
RajT88•1h ago